Microsoft’s Edge browser has finally joined Mozilla Firefox and Google’s Chrome in supporting a working version of the emerging WebAuthn (Web Authentication) standard that aims to rid the world of passwords once and for all.
All browser makers have been privately working with the WebAuth API for a couple of years but what counts is supporting the W3C Candidate Recommendation (CR) WebAuthn.
Firefox added this from version 60 in May, and Chrome from version 67 a few weeks later, while Microsoft’s is still only part of Windows 10 Insider ‘Redstone 5’ Preview Build 17723 released last week.
This means the wider public won’t get their paws on Edge’s CR WebAuthn until Windows 10 version 1809 in October, or perhaps 1903 due to appear sometime in the first half of 2019.
But as the history of security standards shows, enabling something and people using it are two different things, which might explain why the company has been in no rush with WebAuthn.
But what is WebAuthn anyway? Microsoft’s announcement sums it up quite well:
With Web Authentication, Microsoft Edge users can sign in with their face, fingerprint, PIN, or portable FIDO2 devices, leveraging strong public-key credentials instead of passwords.
So WebAuthn isn’t just another way to log into websites – the key feature is the ability to do this without having to use a password at any point.
Getting rid of passwords is good for all sorts of reasons – mainly that they are easy to phish – but it’s vital that whatever replaces them is better.
The principle behind WebAuthn is simply that tokens (FIDO U2F keys), and biometric systems such as Windows Hello (someone’s face or fingerprint) let people authenticate using cryptographically secure secrets that are very hard or even impossible to steal or lose.
That being true, abolishing secrets that can be stolen – passwords and usernames – becomes logical. At the very worst you’re no more insecure and there’s nothing to remember, change or re-use on lots of sites in a way that supercharges credential stuffing attacks.
As with so many of the security innovations Naked Security covers, this idea isn’t that new but until WebAuthn there was no standard to make it possible across not only browsers but websites too.
One could think of two-factor or multi-factor authentication (where users enter a password along with a token or code) as the first stage of this shakeup. The idea was that once the authentication technologies became more familiar and usability improved, people would feel more confident in abandoning passwords altogether.
Unfortunately, it hasn’t been that simple – only a small minority have taken up 2FA and MFA, perhaps because it seemed like another extra hassle on top of the already annoying password layer.
WebAuthn is like going cold turkey. Passwords just suddenly disappear. To ease the transition, Microsoft is trying to make Windows Hello more mainstream on Windows 10 while Google recently announced that it will start selling its own FIDO U2F token, the Titan, as it bids to popularise the technology.
In the end it might unfold as a generational shift in which younger consumers take to WebAuthn while older heads stick to what they know for longer. However, what we can be sure of with every passing announcement is that WebAuthn is coming sooner rather than later.